New PathWiper Data Wiper Malware Disrupts Ukrainian Critical Infrastructure in 2025 Attack

A new data-wiping malware, tracked as PathWiper by Cisco Talos, has been used against a critical infrastructure entity in Ukraine. According to Talos, the wiper was deployed through a legitimate endpoint administration framework already present in the victim's environment, which implies the attackers had gained access to the framework's administrative console and used it to push commands and the PathWiper payload to the connected endpoints. Based on the observed tradecraft and the wiper's capabilities, Talos attributes the activity to a Russia-linked advanced persistent threat (APT) actor.

PathWiper enumerates the connected drives and volumes and starts one thread per drive or volume, each of which overwrites its target with randomly generated bytes. Rather than deleting individual files, it targets the on-disk structures the system needs to find them: the Master Boot Record (MBR) and NTFS metadata files such as $MFT and $MFTMirr, among others. $MFT holds the file records that map names to clusters and $MFTMirr is the backup copy of its first entries, so overwriting both removes the usual filesystem-level recovery path; the malware is designed to irreversibly destroy the files on disk, and it also attempts to dismount volumes. The commands observed during the attack were consistent with ones issued from the administrative utility's own console, which suggests the attackers already understood how the victim enterprise's environment was managed.
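The check a responder would run on a suspect disk image after an attack like this, as an added example that is not part of the Talos report and not PathWiper code: the Python below reads a drive's first sector, validates the 0x55AA boot signature, decodes the MBR partition table or recognises an NTFS volume boot record, and uses byte entropy to tell a sector overwritten with random bytes from one that was zero-filled. The sample sectors it triages are constructed inside the script; the 7.0 bits-per-byte entropy threshold is a working assumption, and `triage_first_sector` is a helper name chosen here.

```python
"""Triage sector 0 of a disk image for wiper damage (constructed samples, added example)."""
import math
import random
import struct
from dataclasses import dataclass, field
from typing import List

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"     # bytes 510..511 of a valid MBR or VBR
PARTITION_TABLE_OFFSET = 446     # four 16-byte entries follow the bootstrap code
RANDOM_ENTROPY_THRESHOLD = 7.0   # assumption: boot code plus zero padding scores well below this


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


@dataclass
class Triage:
    verdict: str                 # mbr | ntfs-vbr | wiped-random | zero-filled | unrecognized
    entropy: float
    has_signature: bool
    partitions: List[Partition] = field(default_factory=list)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_partitions(sector: bytes) -> List[Partition]:
    """Decode the four classic MBR entries: status, CHS start, type, CHS end, LBA, size."""
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from("<B3sB3sII", sector, off)
        if ptype:                # type 0x00 marks an unused slot
            parts.append(Partition(status == 0x80, ptype, lba, count))
    return parts


def triage_sector(sector: bytes) -> Triage:
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    has_sig = sector[510:512] == BOOT_SIGNATURE
    entropy = shannon_entropy(sector)
    # Random overwrite first: a sector of random bytes is untrustworthy even if
    # 0x55AA happens to land at offset 510.
    if entropy >= RANDOM_ENTROPY_THRESHOLD:
        return Triage("wiped-random", entropy, has_sig)
    if has_sig and sector[3:11] == b"NTFS    ":   # OEM ID of an NTFS volume boot record
        return Triage("ntfs-vbr", entropy, True)
    parts = parse_partitions(sector) if has_sig else []
    if has_sig and parts:
        return Triage("mbr", entropy, True, parts)
    if not any(sector):
        return Triage("zero-filled", entropy, has_sig)
    return Triage("unrecognized", entropy, has_sig)


def triage_first_sector(path: str) -> Triage:
    """Read sector 0 of a raw image or block device and triage it."""
    with open(path, "rb") as f:
        return triage_sector(f.read(SECTOR_SIZE))


# --- constructed samples, not real captures ----------------------------------
def sample_mbr() -> bytes:
    bootstrap = b"\x33\xC0\x8E\xD0\xBC\x00\x7C".ljust(PARTITION_TABLE_OFFSET, b"\x00")
    # one bootable NTFS (0x07) partition at LBA 2048, 204800 sectors long
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    return bootstrap + entry + b"\x00" * 48 + BOOT_SIGNATURE


def sample_ntfs_vbr() -> bytes:
    return (b"\xEB\x52\x90" + b"NTFS    ").ljust(510, b"\x00") + BOOT_SIGNATURE


def sample_wiped() -> bytes:
    rng = random.Random(20250605)   # fixed seed so the sample is reproducible
    return bytes(rng.getrandbits(8) for _ in range(SECTOR_SIZE))


if __name__ == "__main__":
    for name, sec in (("mbr", sample_mbr()), ("vbr", sample_ntfs_vbr()),
                      ("wiped", sample_wiped()), ("zeros", bytes(SECTOR_SIZE))):
        t = triage_sector(sec)
        print(f"{name:5s} verdict={t.verdict:12s} entropy={t.entropy:.2f} partitions={len(t.partitions)}")
```

Run it against the first 512 bytes of a forensic image (`triage_first_sector("disk.raw")`) before attempting any filesystem-level recovery: a "wiped-random" verdict on sector 0 tells you to go straight to carving rather than trusting the partition table, whereas "zero-filled" points at a different tool or a different stage of the attack.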

The discovery of PathWiper comes alongside reports that a threat cluster tracked as Silent Werewolf has been running campaigns to infect companies in Moldova and Russia with malware. The group uses a loader stage to retrieve its malicious payloads, and its targets include the nuclear, aircraft and mechanical engineering sectors. Separately, the pro-Ukrainian hacktivist group BO Team has been conducting attacks against Russian state-owned companies and organizations, using post-exploitation frameworks such as Mythic and Cobalt Strike alongside commodity malware families such as DarkGate and Remcos RAT.

BO Team's observed activity includes destroying file backups, dropping the Babuk encryptor to make ransom demands, establishing persistence through scheduled tasks, and running a range of commands to collect information about the compromised systems. Its unconventional approach and broad arsenal of malware make it a significant threat to Russian organizations.

Taken together, these reports show the continued risk to critical infrastructure from destructive and disruptive operations tied to the Russia-Ukraine conflict. The distinct profiles of these threat actors, from a state-aligned APT abusing legitimate administration tooling to hacktivists wielding commodity malware, underscore the need for continued vigilance and proactive defensive measures.